We recently contributed patches to the Sleuth Kit to read AFF4 images. While we are waiting for those to be pulled into the main distribution, the following recipe should suffice for compiling a stand-alone copy on MacOS.
The following dependencies are needed to compile libAFF4 on OSX. I use MacPorts, and the corresponding packages I needed to install are:
* tclap (missing *.pc file – place in /opt/local/lib/pkgconfig/)
Clone and compile LibAFF4 (C/C++)
Use the following to clone the current release of libaff4, configure it, and install.
git clone https://github.com/google/aff4.git
cd aff4
git submodule update --init third_party/gtest
git reset --hard
./configure CC=clang CXX=clang++ CXXFLAGS="-std=c++11 -stdlib=libc++ -O2 -g0 -I/opt/local/include" LDFLAGS="-stdlib=libc++ -L/opt/local/lib"
sudo make install
Clone and compile the Sleuth Kit
Use the following to compile the Sleuth Kit with libaff4 support.
git clone https://github.com/blschatz/sleuthkit.git
cd sleuthkit
git checkout release-4.4
autoreconf --force --install --verbose
./configure
sudo make install
We recently released Evimetry 3, the newest release of our revolutionary approach to forensic acquisition and analysis.
The big news is that we now support remote volatile memory acquisition. This means that in addition to being able to acquire remote disks, you can now acquire the volatile memory of live Windows, MacOS, and Linux hosts. We primarily support Windows XP and above (x86 and x64) and OSX Mountain Lion and above (x64). The coverage for Linux memory acquisition is limited to 64 bit Intel machines where the kmem driver is enabled.
Get straight to analysis.
In addition to acquiring the physical memory, we also acquire and store the entry points needed to find the kernel page tables and base kernel data structures. The benefit of this is that the time-consuming scanning for these entry points (which are fundamental to further analysis) can be bypassed, getting you to analysing evidence sooner.
We have developed patches to the leading volatile memory analysis frameworks, Volatility and Rekall, to support reading these images, and the patches for Volatility have been contributed to the main Volatility project on GitHub.
We take full advantage of Evimetry’s advanced compression to transport memory over the network at maximal rates. The effects of latency, a killer of network performance over long distance links, can be negated by pushing our networked evidence storage agents into the same network as the suspect computer.